The ruling came from the European Court of Justice in a case involving a complaint by Max Schrems about Facebook. The lawsuit was originally brought against the Californian company in Ireland. Here's a backgrounder on the Shrems case:

What is the Max Schrems case?

Schrems is a privacy activist who brought a case against Facebook in Ireland. He said his privacy had been violated by the NSA's mass surveillance programs, first revealed by whistleblower Edward Snowden. Schrems is Austrian, but brought the case against Facebook in Ireland because the company's European headquarters are in Dublin.

The Data Protection Commissioner, Ireland's data regulator, rejected his case because it was bound by a legal agreement called the Safe Harbor agreement — which Schrems subsequently appealed, resulting in the current European Court of Justice case.

What is 'Safe Harbour'?

Safe Harbor (or "Safe Harbour," depending on which side of the Atlantic you're on) is an agreement drawn up between Europe and the US allowing the transfer of private data on users between the two regions. There are different rules concerning data on either side of the Atlantic, but Safe Harbor harmonises them and allows for smooth transfers without worrying about differing legal frameworks.

It's now in jeopardy.

Why is this news right now?

In September, ECJ Advocate General Yves Bots, one of several advisors to the ECJ, put out a legal opinion ahead of the ruling arguing that the safe harbor agreement was "invalid" because of US spying.

Edward Snowden, whose leaks have prompted a massive global debate over government surveillance.
screenshot/HBO
"The surveillance carried out by the United States intelligence services is mass, indiscriminate surveillance," Advocate General Yves Bots said. "In those circumstances, a third country cannot in any event be regarded as ensuring an adequate level of protection."

He argued that agreements such as the 2000 Safe Harbor law cannot supersede scrutiny at the national level. Such agreements "cannot eliminate or even reduce the national supervisory authorities' powers ... if the national supervisory authorities receive individual complaints, that does not in my view prevent them, by virtue of their investigative powers and their independence, from forming their own opinion on the general level of protection ensured by a third country and from drawing the appropriate conclusion when they determine individual cases."

The ECJ doesn't always follow such legal opinions — but it did so in this case. This is huge: the Irish Minister of State for Data Protection Dara Murphy says that "half of the world's data crosses the Atlantic," Irish Times reports.

What could the consequences of the ECJ rejecting Safe Harbour be?

Google would likely be adversely affected if the ECJ suspends Safe Harbor.
REUTERS/Steve Marcus
It means that the more than 4,500 companies that rely on Safe Harbor for the transfer of data — from tech giants like Google and Facebook to tiny startups — would be opened up to significantly more scrutiny from regulators within Europe.

"Many rely on it as the primary — or even only way to legalise — the transfer of data," privacy lawyer Susan Foster from law firm Mintz Levin told Business Insider.

They now need to find an alternative legal framework for the transfer of data (some do exist), and could also face a far more fractured regulatory environment. Bots says that some local regulators would have the power to "[suspend] the transfer of that data," meaning companies could be faced with a situation like is currently the case in Russia — a local government demanding that all data held about its citizens by stored within the country, rather than in the US.

When did the law change?

Today, Tuesday, October 6, at 9.30AM CET. (8.30AM BST)

Are there workarounds?

"[Safe Harbor] is not the only way you can legitimise the transfer of personal information but it is probably the most important method," Foster says. One option is to directly seek the consent of the data subject, but it could be difficult to do so in cases where companies have previously relied exclusively on Safe Habor.

"Consent has to be explicit and freely given" — which causes a headache for another key use of Safe Habor, the transfer of employee data. "In many countries in Europe you can't rely on consent from employees, because employees are understood not to have free choice." An employee may feel pressured into consenting, so such a consent would not be a valid basis for the transfer. "A lot of multinational companies with employees in Europe rely on Safe Harbor because they don't feel they can rely on consent, quite rightly." Foster says.

Even in instances where consent can be freely given, there could be future hurdles as legal debate in Europe continues as to whether consent is an adequate mechanism (given how people tend to disregard terms and conditions). "At the moment we have consent as a valid basis of the transfer ... I can foresee a world within the next 12 months where it's not."